In message , Tony F
inch writes:
> Florian Weimer wrote:
> >
> > I think you still can't serve UDP over IPv6 without per-client sate,
> > keeping both full RFC conformance and interoperability with the
> > existing client population. Pre-fragmentation to 1280 or so bytes
> > isn't enough, you al
Tony Finch wrote:
> ... don't fragment and restrict the EDNS buffer size to 1280. I'm
> somewhat amazed that DNS-over-fragmented-UDP works as well as it does.
> See also
> https://www.usenix.org/conference/lisa12/dnssec-what-every-sysadmin-should-be-doing-keep-things-working
and:
http://www.hpl
* Tony Finch:
> Florian Weimer wrote:
>>
>> I think you still can't serve UDP over IPv6 without per-client sate,
>> keeping both full RFC conformance and interoperability with the
>> existing client population. Pre-fragmentation to 1280 or so bytes
>> isn't enough, you also have to generate atom
Florian Weimer wrote:
>
> I think you still can't serve UDP over IPv6 without per-client sate,
> keeping both full RFC conformance and interoperability with the
> existing client population. Pre-fragmentation to 1280 or so bytes
> isn't enough, you also have to generate atomic fragments.
Or don'
-Original Message-
From: "Michele Neylon :: Blacknight"
Date: Wednesday, May 1, 2013 8:21 AM
To: Lutz Donnerhacke
Cc: ""
Subject: Re: [dns-operations] DNS Issue
>We've seen large companies' sysadmins being adamant that their firewall
>setup was
On May 1, 2013, at 9:40 PM, Florian Weimer wrote:
> I wonder when this statefullness of IPv6 UDP traffic will cause practical
> problems,
One rather suspects that there are many more implications to moving
fragmentation to the endpoint nodes which have yet to be fully understood (for
example,
* Joe Abley:
> The assumption is that "firewall" means "device that keeps
> state". This could be a firewall, or a NAT, or an in-line DPI
> device, or something similar. We're not talking about stateless
> packet filters.
I think you still can't serve UDP over IPv6 without per-client sate,
keepin
We've seen large companies' sysadmins being adamant that their firewall setup
was correct and that we didn't know DNS .. .. even though every single article
and test result proved otherwise ..
Never underestimate stupidity and ignorance :)
Mr Michele Neylon
Blacknight Solutions ♞
Hosting & Do
* John Kristoff wrote:
>> And why auditors do not like tcp53 open to public?
>
> They may have an outdated, naive view of what should be open and
> what shouldn't be? Show them the above and ask them why. I'd be
> curious what the response is.
"We have never seen TCP/53 in public beside strange
On Apr 26, 2013, at 8:24, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Hi,
>
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
>
In addition to other already posted reasons, TCP isn't susceptible to
reflection attacks. (FWIW.)
> And why aud
Good timing...
On Fri, 26 Apr 2013, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
>
> And why auditors do not like tcp53 open to public?
See, that's another of the arguments why DNS should *not* be b
> From: Jared Mauch
> Because someone told them the wrong thing and they don't know any
> difference. Just because they're an auditor doesn't mean they are
> clued. Simple thing would be to show them a dns query that requires
> tcp, such as:
Would you show anything to a doctor prescribing bloo
On Fri, 26 Apr 2013 12:24:01 +
"Cihan SUBASI (GARANTI TEKNOLOJI)" wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls
> if dns is behind a firewall?
DNS over TCP is not just for zone transfers. Many legitimate queries
and answers, will be carried over TCP. Usuall
On Apr 26, 2013, at 4:32 AM, "Dobbins, Roland" wrote:
>
> On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
>
>> I think that in many cases it is not that the named version doesn't support
>> randomization, but rather that they / their firewall group believes that
>> "DNS should only be all
On Apr 26, 2013, at 8:24 AM, "Cihan SUBASI \(GARANTI TEKNOLOJI\)"
wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
EDNS0
> And why auditors do not like tcp53 open to public?
Because someone told them the wrong thing and they don't
-Original Message-
From: , Roland
Date: Friday, April 26, 2013 8:33 AM
To: "dns-operations@lists.dns-oarc.net List"
Subject: Re: [dns-operations] DNS Issue
>
>On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
>
>> Also can someone explain wh
"Cihan SUBASI \(GARANTI TEKNOLOJI\)" wrote on
04/26/2013 08:24:01 AM:
> Also can someone explain why tcp53 should be allowed on the
> firewalls if dns is behind a firewall?
Because your authoritative server may return a truncated response
indicating the client should retry over TCP.
> And w
On Apr 26, 2013, at 7:29 PM, Phil Regnauld wrote:
> In general, vendors of attack mitigation equipment rarely advise you about
> what you'll need in the future, only what they can sell you now.
+1.
The architecture should be designed for horizontal scalability from the outset.
---
On Apr 26, 2013, at 7:23 PM, Joe Abley wrote:
> The number of stateful firewalls that can happily handle occasional flows of
> up to 100,000 flows per second two/from individual devices are few. "Yours
> probably isn't one of them."
I've seen 3mb/sec of spoofed SYN-flood take down a stateful f
On Apr 26, 2013, at 7:24 PM, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:
> Also can someone explain why tcp53 should be allowed on the firewalls if dns
> is behind a firewall?
Truncate mode.
> And why auditors do not like tcp53 open to public?
'Security' misinformation spread by firewall vendors
Joe Abley (jabley) writes:
>
> The number of stateful firewalls that can happily handle occasional flows of
> up to 100,000 flows per second two/from individual devices are few. "Yours
> probably isn't one of them."
Corollary: whatever device you'll be putting in front of the DNS server
Of wbr...@e1b.org
Sent: Friday, April 26, 2013 3:11 PM
To: Dobbins, Roland
Cc: dns-operations@lists.dns-oarc.net List;
dns-operations-boun...@lists.dns-oarc.net
Subject: Re: [dns-operations] DNS Issue
> From: "Dobbins, Roland"
> The actual problem being that the DNS servers ought
On 2013-04-26, at 08:11, wbr...@e1b.org wrote:
>> From: "Dobbins, Roland"
>
>> The actual problem being that the DNS servers oughtn't to be behind
>> a firewall in the first place.
>
> Can you elaborate on your statement? I can guess what the reaction around
> here would be if I suggested i
> From: "Dobbins, Roland"
> The actual problem being that the DNS servers oughtn't to be behind
> a firewall in the first place.
Can you elaborate on your statement? I can guess what the reaction around
here would be if I suggested it.
Confidentiality Notice:
This electronic message and a
On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote:
> I think that in many cases it is not that the named version doesn't support
> randomization, but rather that they / their firewall group believes that "DNS
> should only be allowed on port 53 (and UDP, natch)".
The actual problem being that
On Apr 25, 2013, at 11:35 AM, "Dobbins, Roland" wrote:
>
> On Apr 24, 2013, at 10:32 PM, Jason Bratton wrote:
>
>> I'm not saying I agree with that practice, but I can definitely imagine it
>> happening.
>
> Concur.
>
> If folks are running nameds which *don't* support source-port randomiza
On Apr 24, 2013, at 10:32 PM, Jason Bratton wrote:
> I'm not saying I agree with that practice, but I can definitely imagine it
> happening.
Concur.
If folks are running nameds which *don't* support source-port randomizations,
they need to patch/upgrade, anyways.
---
Paul Wouters wrote:
I have been hearing more reports of people in the last two weeks that
DNS queries originating from port 53 are getting blocked. slashdot.org
was one of those domains that started failing when your recursing name
server is configured to use a query port of 53.
We've seen seve
On Wed, 24 Apr 2013, Chip Marshall wrote:
Are you doing query source port randomization?
https://www.dns-oarc.net/oarc/services/porttest
I have been hearing more reports of people in the last two weeks that
DNS queries originating from port 53 are getting blocked. slashdot.org
was one of thos
On 2013/04/24, at 09:06, Samir Abidali wrote:
> I wonder if someone can guide me in the direction for troubleshooting my DNS
> issues.
> I work in the regional ISP, we have to DNS servers where it works fine for
> most of the Domain names but it cannot resolve some others, like dyn.com.
I wasn
On 2013-04-24, Samir Abidali sent:
> I wonder if someone can guide me in the direction for
> troubleshooting my DNS issues.
>
> I work in the regional ISP, we have to DNS servers where it
> works fine for most of the Domain names but it cannot resolve
> some others, like dyn.com.
>
> When I try
Dears
I wonder if someone can guide me in the direction for troubleshooting my DNS
issues.
I work in the regional ISP, we have to DNS servers where it works fine for most
of the Domain names but it cannot resolve some others, like dyn.com.
When I try to do dig + trace , below is the output,
32 matches
Mail list logo